Computer Forensics (4) (By Jeff) Flashcards

1
Q

What is the order of volatility in computers?

A

The order of volatility describes how susceptible data stored at a given location is to change.

In computers, the most volatile location is the CPU registers, which change value on an instruction-by-instruction basis. Following closely are the L1 and L2 caches situated on the CPU die. Due to the principle of locality, these change content almost whenever there is a context switch on the CPU (a new process starts running). Below is the L3 cache, which acts similarly to L1 and L2. Next is main memory, which contains the instructions and data for actively running processes. All the above are considered volatile since the data is wiped whenever the power shuts off. The disk (HDD/SSD) is non-volatile and holds by far the most data.

2
Q

What is a write blocker?

A

Write blockers are specialized pieces of hardware that enable the copying of one disk's content over to another. The key advantage of such devices is that they carry out such copying procedures without writing to the disk being copied. Therefore, evidence integrity is maintained. Write blockers are, however, quite expensive, which is a major downside when you often need several due to the many different disk interfaces, e.g., SCSI, SAS, and IDE.

3
Q

What are the two key components of an HDD?

A

The two main components of any HDD are the heads and platters. A head is much like an arm capable of reaching to different points/radii on the platter. Heads in an HDD can both read from and write data to a platter. For every platter there are two heads so that each side of the platter may be utilized. The platter itself is a disk covered by a magnetized coating. An HDD tends to have several rows of platters.

4
Q

What are tracks, sectors, and clusters on a platter?

A

Tracks are circles of a given diameter on the platter.

A sector is a portion of a track (the tracks with greater diameters will have more sectors). Sectors are the smallest addressable units on an HDD and typically consist of 512-4,096 bytes.

To ensure efficient read and write times, HDDs try to store data contiguously (avoiding fragmenting files over different parts of the disk). As files tend to be much larger than a couple hundred bytes, there is usually a need for more than one sector. The solution employed in most file systems is to assign a collection of sectors to any file, regardless of size. Such a collection is known as a cluster, and typically contains 8 sectors.

5
Q

What are partition tables?

A

A partition table is a method for logically dividing a disk into different partitions. The OS uses the partition table when accessing the disk. An example of a partitioned physical disk is one partitioned into two logical ones, e.g., C and D.

6
Q

What are the two different types of partitions?

A

Primary partitions are sections of a disk within which an operating system can be stored. Upon boot, a single primary partition will be marked as active. Only the active partition may be accessed during boot. Each primary partition is assigned its own file system.

Extended partitions are used for logical drives, i.e., the partitioning of an area of the disk into logical drives. This is handled by the OS, so there is no need for a separate file system.

7
Q

What are MBR and GPT?

A

MBR is an old disk partitioning scheme present in Windows 7 and older. It allows for 4 primary partitions and a 2 TB capacity per partition.

GPT is a newer scheme used in Windows 10. It allows for 128 primary partitions and 9.4 ZB (a fuckin load) per partition. GPT is also MBR compatible.

8
Q

What are the two kinds of imaging one can perform on a disk? What is the difference?

A

Physical images copy all the bytes on the target device such that an identical physical copy is obtained.

Logical images copy all the files visible to the file system.

Physical images enable investigators to recover deleted files and inspect slack data. Essentially, physical images allow investigators to examine data not visible to the file system.

9
Q

Name examples of important information that may be found in volatile memory.

A

When responding to a malware-related incident, much of the valuable data will only reside in main memory. Most of the valuable information on a malicious running process will be found in main memory.
Another example is the keys used for decrypting an encrypted disk, which may contain valuable evidence.

10
Q

Name some of the most important tools for computer forensics.

A

FTK Imager is a widely used tool capable of imaging without changing the original content. It also provides tools for examination, analysis, and documentation. It works for most operating systems.

Redline allows the capture of volatile memory as well as inspection of the file system and event logs, and includes a threat-assessment profiling tool.
